template.yml
AWSTemplateFormatVersion: "2010-09-09"
Transform:
  - AWS::Serverless-2016-10-31
Description: >-
  A Lambda powering a custom CloudFormation macro returning the ARN of the
  latest AWS LayerVersion available, based on a LayerVersion name or
  LayerVersion ARN.

Parameters:
  MacroName:
    Description: >-
      The name of the macro. The name of the macro must be unique across all
      macros in the account.
    Default: "LatestLayerVersion"
    Type: String
  KmsKeyArn:
    Description: >-
      A KMS key that will be used to encrypt logging data. Set to "NONE" to
      disable logs encryption.
    # Accepts either the literal NONE or a KMS key ARN ending in a UUID key id.
    AllowedPattern:
      "^(NONE|arn:(aws[a-zA-Z-]*)?:kms:[a-z]{2}((-gov)|(-iso(b?)))?-[a-z]+-\\d\
      {1}:\\d{12}:key/[0-9a-fA-F]{8}\\-[0-9a-fA-F]{4}\\-[0-9a-fA-F]{4}\\-[0-9\
      a-fA-F]{4}\\-[0-9a-fA-F]{12})$"
    Default: "NONE"
    Type: String

Conditions:
  # True when a KMS key ARN was supplied instead of "NONE".
  ShouldEnableEncryption:
    Fn::Not:
      - Fn::Equals:
          - "NONE"
          - !Ref KmsKeyArn

Resources:
  MacroFunction:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName:
        Fn::Sub: cfn_macro-${MacroName}
      Description:
        Fn::Sub: >-
          Invoked by CloudFormation when deploying templates using the
          "${MacroName}" custom macro: Returns the ARN of the latest
          AWS LayerVersion available, based on a LayerVersion name or
          LayerVersion ARN.
      Role: !GetAtt MacroFunctionRole.Arn
      CodeUri: ./latest_layer_version_macro/
      Handler: lambda_function.lambda_handler
      Runtime: python3.8
      MemorySize: 128
      Timeout: 300
      Environment:
        Variables:
          LOG_LEVEL: INFO

  # Explicit log group so that retention and the optional KMS key apply to
  # the function's logs.
  MacroFunctionLogGroup:
    Type: AWS::Logs::LogGroup
    DependsOn:
      - MacroFunction
    Properties:
      RetentionInDays: 30
      LogGroupName:
        Fn::Sub: "/aws/lambda/${MacroFunction}"
      # Omitted (AWS::NoValue) when KmsKeyArn is "NONE": no customer-managed
      # key is set on the log group.
      KmsKeyId:
        Fn::If:
          - ShouldEnableEncryption
          - !Ref KmsKeyArn
          - !Ref AWS::NoValue

  MacroFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName:
        Fn::Sub: ${MacroName}MacroFunction
      # Only the Lambda service may assume this role.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"
      Policies:
        # Read-only: list the versions of any layer in this account and region.
        - PolicyName: LambdaListLayerVersions
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - lambda:ListLayerVersions
                Resource:
                  - Fn::Join:
                      - ""
                      - - "arn:"
                        - !Ref AWS::Partition
                        - ":lambda:"
                        - !Ref AWS::Region
                        - ":"
                        - !Ref AWS::AccountId
                        - ":layer:*"
        # The resource below matches every CloudWatch Logs resource in this
        # account and region, not only this function's log group.
        - PolicyName: LogsWrite
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource:
                  - Fn::Join:
                      - ""
                      - - "arn:"
                        - !Ref AWS::Partition
                        - ":logs:"
                        - !Ref AWS::Region
                        - ":"
                        - !Ref AWS::AccountId
                        - ":*"

  # Registers the function as a CloudFormation macro under MacroName.
  Macro:
    Type: AWS::CloudFormation::Macro
    Properties:
      FunctionName: !Ref MacroFunction
      Name: !Ref MacroName
      Description:
        Fn::Sub: >-
          The "${MacroName}" returns the ARN of the latest AWS LayerVersion
          available, based on a LayerVersion name or LayerVersion ARN.